Certified Information Security Manager (CISM) — Question 600

An information security manager determines there are a significant number of exceptions to a newly released industry-required security standard. Which of the following should be done NEXT?

Answer options

• A. Document risk acceptances.
• B. Conduct an information security audit.
• C. Assess the consequences of noncompliance.
• D. Revise the organization's security policy.

Correct answer: C

Explanation

The next logical step is to assess the consequences of noncompliance, as understanding the potential risks and impacts is crucial before taking further actions. Documenting risk acceptances, conducting an audit, or revising the policy may follow, but they should come after evaluating the implications of the current exceptions.